"Bag Attributes" in a private_key.pem file throws a ClassCastException, while it works in MRI

[heisee]

I created the following key.pem with the password demo using the following command:

openssl req -new > cert.csr
openssl rsa -in privkey.pem -out key.pem

Then I added the following 4 lines in front of the key.pem:

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: lp-016f02aa-9b45-4295-baef-2ffc4768178e
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider

because I saw such a file format in the wild.
I think, that these "Bag Attributes" are sometimes generated when converting pkcs12 files (.pfx) into .pem files, like this:

openssl pkcs12 -in input.pfx -nocerts -nodes -out key_temp.pem
openssl rsa -in key_temp.pem -out key.pem

Anyway, let's assume, that we've now this complete key.pem file:

Bag Attributes
    localKeyID: 01 00 00 00 
    friendlyName: lp-016f02aa-9b45-4295-baef-2ffc4768178e
    Microsoft CSP Name: Microsoft Strong Cryptographic Provider
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA1MpBqV1qNPUMu76h+p7I9sVWxBtUZ31czxxlS1BTM4+YqZui
bHiYECXPIQxessP3Hg5C491pQxd+QJu/9hcKusbeT64nnh+WuPGhz2pVWtFbRl6k
Z3Pymdjh495YxxqLrWLnRrz5ZBr0+o2yayM+rxv7bmZ3gCCJfXG8TPJ1pQuGjkD3
vJn2gM49Tz+AoI+mEn0p813ZtF8GmnUTa+6/50B3Fr97XpHxOsXIW1K+ZXOod4DJ
Pc/xzJNisrnk/ncDhNaIGAobS3z5qxsJoMylnNirXcn3NcdZd/JgVJbmoXTJci4d
JDyZ1oRdHcwO4EWjULRiK0XQQO0yvY56VUu55wIDAQABAoIBAQCtAL//1g46fh1b
KzOAksZrM6hGir3F4jupu7lzURxEKHSDOSEGNcnUHxlXEjqP9xmcGxYxMtuZC6m/
F6IrjzJPBs7KU5qsSZx+Qx4+h4Jb8yjVfq8F2VQd1yJY5Hajciar0mScs5nD1NLm
PnwX9TDKp+J1MOPpjQqbrfPdT6dshgR5r70eQPAdhwjWAzSygeK+L/kLv1vh1eZD
Ak1JxbwE3HdT529jiATJ3hE+6gX6wQoxvpF5dgzqZDZBUcensae1II0izHUu6YED
SAjTbLFSjpUdEfYKSNN1tyBWbs6fFlnDTqS9eeM0n2S84x9o25BXPSYphk4WvP53
hfV+yimBAoGBAP4yP9qAbCzMF8pIll4Lj/BOxFbcqTNrhSiUaVvDWKKhauEY9/0j
Bn+vVQ7VVW0iOZMogZZ10hUqiY6/ff1TAnIQtCkMQjdm9apYMl+PdfsVSBvaAG5u
v/JoiIKKDBM9f6nN/oOU7kstROZi91yxst0+MsmSEZdYfiEQs/5lNA6nAoGBANZM
ysuJ72dw+4IJABMURKdk0cJMVjQr0EDAn1Il4jvMRcBsVmmD/sA1umbVKEez4PMj
x/5DQRcCv40w8rU/qgRGATMSv9VFTZCEgrigyPebhLRgeTsTzRxCt+WE3IbOgzpg
G8kksLSmOk/Eu9EUeajSv2oCrPn80HX1MD/x4aLBAoGBAJ16Ufay4tFp6z8lcwp2
TUkJ8zcA4034yXjXYOI5hjrSl502U8QeI9OMsrxKy+6dal/Rk168RVdZj/jAh3Qe
LgCuen6Hmqop/f33P9XV0bioeZDPoL7Jm964hgGhNlPhIKr49DleVbZ7KBk2rJpf
eDj6ZIpeFMnXR+SCLZBn8DU3AoGBAJqsVnrOFfNtQrq6UEl1CZBgXl2Ex3tkXC1A
Wj3qhf1vFLEsALqrwIVuwhlSpH4MQMJ9Au5sEGDRZPw9ZhCX4NiwxlDcqYT/Plqe
qdMkiajdoMyoDRgs1JAfP6fzW1AZYfISSDvHtZrNl6zXbFAeHSlS40FaqQrOBI/+
5lJg/OCBAoGAfRUNgwS+TvrfFgCQ1kfXbUYi1c5ZQn0Z75vTUv24Eby0RjtmkwuA
H7OPMcmzYKw6xSuayCIhucY/QL0piXr8/Dm/XcvoTv1NNNYh4gV7FbaWhgLpkfhV
d/HB6PnhDFJieB2AmrmM/f3V2fgFDTFuqthJbXde5UeX1gD9ISmwXZw=
-----END RSA PRIVATE KEY-----

Problem is, that MRI reads it in two ways, while JRuby only in one way:

rvm ruby-2.3.0 do ruby -e "require 'openssl' ; puts OpenSSL::PKey::RSA.new(File.read('key.pem'), 'demo').class" 
=> OpenSSL::PKey::RSA

rvm ruby-2.3.0 do ruby -e "require 'openssl' ; puts OpenSSL::PKey.read(File.read('key.pem'), 'demo').class"
=> OpenSSL::PKey::RSA

rvm jruby-9.1.5.0 do ruby -e "require 'openssl' ; puts OpenSSL::PKey::RSA.new(File.read('key.pem'), 'demo').class" 
=> OpenSSL::PKey::RSA

rvm jruby-9.1.5.0 do ruby -e "require 'openssl' ; puts OpenSSL::PKey.read(File.read('key.pem'), 'demo').class"
Unhandled Java exception: java.lang.ClassCastException: org.bouncycastle.asn1.DERApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
java.lang.ClassCastException: org.bouncycastle.asn1.DERApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence
    readRSAPrivateKey at org/jruby/ext/openssl/impl/PKey.java:173
    readRSAPrivateKey at org/jruby/ext/openssl/impl/PKey.java:168
       readPrivateKey at org/jruby/ext/openssl/impl/PKey.java:124
                 read at org/jruby/ext/openssl/PKey.java:120
                 call at org/jruby/ext/openssl/PKey$PKeyModule$INVOKER$s$0$1$read.gen:-1
                 call at org/jruby/internal/runtime/methods/JavaMethod.java:724
                 call at org/jruby/internal/runtime/methods/DynamicMethod.java:205
         cacheAndCall at org/jruby/runtime/callsite/CachingCallSite.java:358
                 call at org/jruby/runtime/callsite/CachingCallSite.java:195
    invokeOther5:read at -e:1
               <main> at -e:1
  invokeWithArguments at java/lang/invoke/MethodHandle.java:627
                 load at org/jruby/ir/Compiler.java:111
            runScript at org/jruby/Ruby.java:834
          runNormally at org/jruby/Ruby.java:749
          runNormally at org/jruby/Ruby.java:767
          runFromMain at org/jruby/Ruby.java:580
        doRunFromMain at org/jruby/Main.java:425
          internalRun at org/jruby/Main.java:313
                  run at org/jruby/Main.java:242
                 main at org/jruby/Main.java:204

When the 4 first lines, the "Bag Attributes", are removed from the .pem file, it also works with the JRuby:

rvm jruby-9.1.5.0 do ruby -e "require 'openssl' ; puts OpenSSL::PKey.read(File.read('key.pem'), 'demo').class"
=> OpenSSL::PKey::RSA

I found this style of reading the private key file in the HTTPI gem; the commit that introduced it is here: savonrb/httpi#118

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/37898323-bag-attributes-in-a-private_key-pem-file-throws-a-classcastexception-while-it-works-in-mri?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F136995&utm_medium=issues&utm_source=github).